ATM Skimming Controls and Their Implications for NFC

A recent report at the bankinfosecurity.com web site titled “HSBC ATM Skimmer Arrested”
notes a statement by the US Attorney’s Office and the U.S. Secret
Service announcing that New York law enforcement officials have arrested
and charged a Romanian man for the recent spate of ATM skimming attacks
in the New York area.

This latest series of skimming attacks is just one of several high
profile ATM skimming attacks across the country lately. It seems to be a
favorite of organized criminals and it makes sense because it requires a
certain level of investment in producing credible functional card
readers that can be fitted over the original card reader. They have to
be designed to be quickly installed over existing hardware and have to
be convincing enough to fool customers.

Given the prevalence of this real world problem, I think it’s worth
taking a threat-model and security-controls based look at ATM skimming
attacks to get to the essence of the problem.

The Scenario

The basic scenario in a skimming attack works like this:

The attacker installs a rogue card reader on top of the existing
card reader. The attacker has to do this in a way that does not raise
suspicion with the ATM owners or the people using the ATM.

As victims use the compromised ATMs, the rogue card reader passes
through the card info to the legitimate card reader so that the customer
can complete the transaction. Meanwhile, the rogue card reader is
storing the info it reads off the cards’ magnetic stripes. In some more
sophisticated attacks, the rogue readers can also capture the key
presses on the ATMs’ keypads so it can capture PIN numbers as well.

The attacker returns to the ATM and retrieves the card reader. The
attacker extracts the stored card info and uses the stolen information
in fraudulent transactions, typically as quickly as possible, before the
fraud has been detected.

The ATM skimming attack is basically a physical manifestation of a
classic “man in the middle” attack. So what sorts of ways can you thwart
a man in the middle attack and how can you apply them to this scenario?

Detect The Man In The Middle Before He Does Harm

Owners of gas stations that are susceptible to ATM skimming attacks
have been encouraged to shore up the physical security of gas pumps.
Often they are unlocked or protected by simple, common PIN numbers that
are easily guessed. Fixing these basic physical security problems is
simple in concept, but often difficult in the gas station/convenience
store environment. Staff turnover is high, and enforcing effective
key management practices in these environments can be difficult.

Banks, on the other hand, have the resources to invest in the
physical security of ATMs, and yet they are still vulnerable to
installation of skimmers. The BankInfoSecurity article notes the reuse
of existing controls to help manage the detection of skimmers being
installed: video cameras:

“Banking institutions and merchants have
improved monitoring, through physical inspection and surveillance
video, as well as fraud-detection techniques and systems. "Those cameras
have been active at ATMs for a long time, but it's a relatively new
development that someone is actually monitoring the activity that the
camera is recording," [AITE Group Research Director Julie] McNelley
says.”

Surveillance cameras have been used for a long time to collect
evidence in criminal cases. But the problem is that there is way too much
footage to be monitored in real time. That’s why projects like the IBM Smart Surveillance System
are important. We need automated systems that are smart enough to
analyze what’s captured in a video, determine the difference between a
customer legitimately using an ATM and an attacker installing a skimmer,
and raise a red flag when they detect the latter.

Require Out Of Band Knowledge

I’ve seen some card reader systems that request extra information
during the transaction that the customer has to know independently of
the information exchanged during the transaction.

For example, I’ve seen card reader based terminals ask for “billing
zip code” during the transaction. That information is not stored on the
card in any fashion so it’s out of band information that the end user
has to know to complete the transaction. Likewise, online transactions
often require the “CVV” number on the back of the card in order to
complete a transaction. I have never seen a physical card reader system
ask for this information, but I don’t see any reason why it couldn’t.

What would this out of band data protect? It might protect the
particular transaction from being performed by an attacker at that time.
It effectively helps authenticate the identity of the person initiating
the transaction by knowing something about the account and/or proving
physical possession of the card.

The problem is that the data on the magnetic stripe itself is
vulnerable and fraud can be committed knowing just that information
contained on the magnetic stripe. So while it’s helpful in
authenticating the end user, it’s not particularly effective at
preventing this man in the middle attack.

Protect the Information Exchange

The other basic protection against man in the middle attacks is to
protect the information exchange in a way that renders the captured
information useless. The problem with this approach is that the
protection has to be built into the standards being used, which is not
the case with magnetic stripe-based technology. The article again quotes
Julie McNelley:

“The organized crime rings behind much of the skimming continue to
target ATMs and POS devices, and will continue to do so as long as our
cards rely on mag-stripe technology.”

Much of the information on a card’s magnetic stripe can be
read by anyone with physical access to the stripe. It’s not
encrypted or otherwise protected in any way. So as long as the protocols
for using card-based point of sale systems rely on it, it will be
impossible to secure the exchange of transaction information.
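As an added illustration (not from the original post) of why the exchange itself has to be protected: a small Python simulation in which a pass-through skimmer records whatever it relays. With static stripe-style data the capture is enough to complete a later transaction; with a challenge-response answer keyed on a secret the card never transmits, the same capture is rejected. The challenge-response scheme, the record layout and all values are constructed for this example and do not describe any real card standard.

```python
import hashlib
import hmac
import secrets

# Constructed sample "magnetic stripe" contents: static, identical on every swipe.
STATIC_TRACK = "PAN=4111111111111111;EXP=2512;NAME=J DOE"
# Constructed key shared only by the card chip and the issuer; it never crosses the reader.
CARD_KEY = b"constructed-card-key-not-a-real-secret"


class Skimmer:
    # Passive man in the middle: relays each message unchanged but keeps a copy.
    def __init__(self):
        self.captured = []

    def relay(self, msg):
        self.captured.append(msg)
        return msg


def static_card(_challenge):
    # A mag-stripe card answers the same way no matter what the terminal asks.
    return STATIC_TRACK


def make_dynamic_card(key):
    def card(challenge):
        # A chip-style card answers with a MAC over the terminal's fresh challenge.
        tag = hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()
        return f"PAN=4111111111111111;CHAL={challenge};MAC={tag}"
    return card


def issuer_accepts(response, challenge, key):
    fields = dict(f.split("=", 1) for f in response.split(";"))
    if "MAC" not in fields:
        return True  # legacy stripe path: the issuer cannot tell a replay from a swipe
    expected = hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(fields["MAC"], expected)  # a replay carries a stale MAC


def run_transaction(card, skimmer=None, key=CARD_KEY):
    # The terminal issues a fresh challenge; the card's answer may pass through a skimmer.
    challenge = secrets.token_hex(8)
    response = card(challenge)
    if skimmer is not None:
        response = skimmer.relay(response)
    return issuer_accepts(response, challenge, key)


def replay_is_accepted(card):
    # Skim one legitimate transaction, then present the capture in a new one.
    skimmer = Skimmer()
    assert run_transaction(card, skimmer)  # the victim's own transaction always goes through
    captured = skimmer.captured[0]
    return run_transaction(lambda _c: captured)
```

The skimmer is equally transparent in both cases; the difference is only whether what it recorded is still meaningful to the issuer once the challenge has changed.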

Implications for Near Field Communication

This leads most people to raise the issue of Near Field
Communications (NFC) based technology instead. As I understand it, the
current NFC specifications do not address protection against man in the
middle attacks. This is largely due to the fact that the two endpoint
devices have to be in such close proximity to each other, but the ATM
skimming cases have proven that it’s possible for man in the middle
attacks to occur even when the two devices in the transaction have to
touch each other. So the “limited range of NFC devices” argument doesn’t
hold up, in my opinion.

Could NFC transactions be secured against man in the middle attacks? Probably. “Security in Near Field Communication (NFC)”
by Ernst Haselsteiner and Klemens Breitfuß is probably the most cited
discussion of this topic and in this paper they describe how it is
theoretically possible for two NFC devices to establish a secure channel
that would be able to protect, or at least detect, the presence of a
man in the middle attack. Also, it has to be noted that many of the NFC
transactions will have active, powerful computation at both ends of the
transaction so the data exchange protocols layered on top of the base
NFC protocol could leverage cryptographically strong key exchange
algorithms to secure the channel.

Bottom Line

For the foreseeable future, it looks like we are going to have to
rely on detection controls to detect the presence of skimmers on card
readers. There does not appear to be any practical method for securing
the magnetic stripe data on cards on the horizon. There are a variety of
groups developing NFC-based payment standards and it will be
interesting to see how they compare in terms of protections against man
in the middle attacks. One thing’s for sure, I wouldn’t trust the
“limited distance as security” argument from anyone. The current rash of
ATM skimming attacks proves that physical distance is not an adequate
control.